I need to calculate Windows user session duration times using winlogbeat event codes like 4624 (login) and 4634 (logout) & create a visualization to display each user's duration. I'm using a heatmap visualization. I found an old thread with a similar objective here:
I created a continuous transform using an identical aggregation; however, the destination index contains gaps, i.e. several months with no data, when the source indices are populated for the last 90-100 days.
For added context, I initially created a batch transform that did populate the data for the entire time period. The issue was that it doesn't continue updating since batch transforms only run once. This is why I switched to continuous.
Does anyone know why there are gaps in the data? I need the transform to run over the entire source index chronologically and continue updating the destination index on a daily basis.
P.S. If there's a more efficient way of tackling this problem, I'm open to suggestions. Thanks!
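An added example, not part of the original post: one way to check session durations offline against exported winlogbeat documents, pairing each 4624 with its 4634. It assumes that documents are flattened to dotted field names and that `host.name` plus `winlog.event_data.TargetLogonId` identifies a session; the sample events are constructed.

```python
from datetime import datetime, timezone

LOGON, LOGOFF = "4624", "4634"
ID = "winlog.event_data.TargetLogonId"      # assumed pairing key (per host)
USER = "winlog.event_data.TargetUserName"

# Constructed sample documents (not real logs), flattened to dotted field names.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-01T08:00:00Z", "event.code": "4624", "host.name": "ws01", USER: "alice", ID: "0x3e7a1"},
    {"@timestamp": "2024-03-01T08:05:00Z", "event.code": "4624", "host.name": "ws02", USER: "bob", ID: "0x51c20"},
    {"@timestamp": "2024-03-01T12:30:00Z", "event.code": "4634", "host.name": "ws01", USER: "alice", ID: "0x3e7a1"},
    # Logoff whose logon happened before the exported window.
    {"@timestamp": "2024-03-01T13:00:00Z", "event.code": "4634", "host.name": "ws03", USER: "carol", ID: "0x9f001"},
    {"@timestamp": "2024-03-01T13:10:00Z", "event.code": "4624", "host.name": "ws01", USER: "alice", ID: "0x4b002"},
    {"@timestamp": "2024-03-01T13:40:00Z", "event.code": "4634", "host.name": "ws01", USER: "alice", ID: "0x4b002"},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def pair_sessions(events):
    """Return (closed_sessions, still_open_logons, orphan_logoffs)."""
    open_by_key, closed, orphans = {}, [], []
    for ev in sorted(events, key=lambda e: _ts(e["@timestamp"])):
        key = (ev["host.name"], ev[ID])
        if ev["event.code"] == LOGON:
            open_by_key[key] = ev
        elif ev["event.code"] == LOGOFF:
            start = open_by_key.pop(key, None)
            if start is None:
                orphans.append(ev)      # no matching logon in the data set
                continue
            secs = (_ts(ev["@timestamp"]) - _ts(start["@timestamp"])).total_seconds()
            closed.append({"user": start[USER], "host": key[0],
                           "start": start["@timestamp"], "duration_s": secs})
    return closed, list(open_by_key.values()), orphans

def total_seconds_per_user(closed):
    """Sum closed-session durations per user."""
    totals = {}
    for s in closed:
        totals[s["user"]] = totals.get(s["user"], 0) + s["duration_s"]
    return totals

if __name__ == "__main__":
    closed, still_open, orphans = pair_sessions(SAMPLE_EVENTS)
    print(total_seconds_per_user(closed), len(still_open), len(orphans))
```

Sessions with no logoff yet and logoffs with no logon in the window are returned separately rather than given a duration, so they can be counted when comparing against the transform's destination index.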